Chinese websites targeted in drive-by download attack that drops DDoS bot

27 Feb 18

Chinese websites have recently been targeted by a drive-by download campaign that dropped a Distributed Denial of Service (DDoS) bot by the name of Avzhan, a malware that has been around since 2010.

The most recent attacks were spotted by Malwarebytes Labs researchers, who say that this particular drive-by download was not advanced, but it did demonstrate the use of several different exploits to distribute malware.

“For years we have cataloged thousands of Chinese websites injected with the same malicious and rudimentary VBScript code. Even to this day, you can find a countless number of sites that have been (or still are) compromised with that pattern, and most of them happen to be hosted in China,” Malwarebytes researcher Jérôme Segura explains.

The researchers spotted the campaign after analysing compromised sites that loaded external content through iframes and scripts.

Some of those sites hosted cryptomining malware, while some redirects led to a server that hosts several exploits.

Those exploits include three that target vulnerabilities in ActiveX, Flash Player and Internet Explorer.

The ActiveX vulnerability (CVE-2008-2551) is an old vulnerability that affects the C6 Messenger ActiveX control. The malware creator used old malware code and changed the download URL to point to their own malware.

The Flash vulnerability (CVE-2015-5119) is also an older vulnerability that affects all versions of Flash up to version 18.0.0.194. Malwarebytes researchers say this code was taken from a proof-of-concept and, in this instance, causes instability in the browser, which may cause it to crash.

The Internet Explorer vulnerability (CVE-2016-0189), also known as ‘God Mode’, was ‘commented out’, researchers explain.

All vulnerabilities were exploited to drop the Avzhan DDoS bot, which registers itself as a Windows Service.

Although researchers didn’t catch the bot in the act of conducting DDoS attacks, its capability is clearly evident in the code.

The malware has been lurking for several years but researchers say it is anything but sophisticated. It has not really changed – instead only modifications were made to hide the malware better and to add further configuration.

“Although we see the use of several exploits, we cannot call this an exploit kit—not even an amateur one. Indeed, the domain serving the exploits appears to be static and the URIs are always the same,” Segura says.

“Regardless, it does not prevent threat actors from arranging drive-by attacks by copying and pasting various pieces of code they can find here and there. While not very effective, they may still be able to compromise some legacy systems or machines that have not been patched.”
